Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.
Problem types
CWE-190: Integer Overflow or Wraparound
CWE-407: Inefficient Algorithmic Complexity
CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-502: Deserialization of Untrusted Data
CWE-674: Uncontrolled Recursion
CWE-789: Memory Allocation with Excessive Size Value
CWE-1188: Insecure Default Initialization of Resource
Product status
< 2.5.301
References
github.com/...CSharp/security/advisories/GHSA-382j-8mxh-c7x2